GhostWrite vulnerability allows hackers to access computer memory

A group of cybersecurity researchers at the CISPA Helmholtz Center for Information Security recently identified three serious vulnerabilities in five commercial RISC-V CPUs, including GhostWrite, which allows an attacker to write arbitrary data from unprivileged states to any physical memory location.

GhostWrite is an unprivileged instruction sequence that allows attackers to write to selected physical memory locations, including those of attached devices.

The researchers present three end-to-end attacks showing how GhostWrite can be used to read physical memory and to execute arbitrary code in machine mode, even in cloud environments. In addition, their RISCVuzz framework reveals two unprivileged halt-and-catch-fire instruction sequences that cause an unrecoverable CPU halt.

RISC-V has gained a lot of traction through support in the Linux kernel and has been adopted in consumer devices and cloud platforms. However, the flexibility of RISC-V has led to many hardware implementations with differing features and security practices.

Analysing these implementations does not require source code or emulators: RISCVuzz takes CPU models from different vendors and uses differential CPU fuzzing to compare their architectural behavior.

Technical Analysis

The GhostWrite vulnerability in the T-Head XuanTie C910 RISC-V CPU is a hardware design flaw that poses a significant security risk.

This makes it possible to read physical memory and execute arbitrary machine mode code even when operating in cloud environments.

RISCVuzz also found two unprivileged instruction sequences that cause an unrecoverable CPU halt, revealing significant security concerns for RISC-V implementations.

Even attackers with minimal system privileges can read and write any memory and manipulate peripherals such as network cards.

GhostWrite eliminates all built-in security controls of the CPU, giving attackers absolute control over the entire system.

The situation is made worse by the fact that the only fix would be to disable the CPU's vector extension, which removes about 50% of its vector functionality and is therefore not an appropriate mitigation measure.

The faulty instructions belong to the vector extension of the RISC-V ISA, which is designed to process large amounts of data. They operate on physical memory directly, ignoring the virtual memory protection and process isolation imposed by the operating system and hardware.

Unlike side-channel or transient execution attacks, GhostWrite is a direct CPU bug caused by malformed vector extension instructions.

GhostWrite is a hardware-embedded flaw that cannot be fixed by software updates, allowing unprivileged attackers to write to any memory location, completely bypass security features, and gain uncontrolled device access.

In addition, it allows hackers to hijack hardware devices via memory-mapped I/O (MMIO) and execute arbitrary commands on these devices.

The second exploit demonstrates how the GhostWrite-based read capability can reveal any memory contents. When an administrator types a secret password into a trusted command prompt (left), the exploit (right) fills the physical memory with page tables.

This takes a few seconds on a system with 8GB of memory. The exploit then uses GhostWrite to modify one of these page tables so that the secret password can be read directly from physical memory.

Below we have listed all vulnerable devices:

  • Scaleway Elastic Metal RV1, bare metal C910 cloud instances
  • Lichee Cluster 4A, computer cluster
  • Lichee Book 4A, laptop
  • Lichee Console 4A, small laptop
  • Lichee Pocket 4A, game console
  • Sipeed Lichee Pi 4A, single board computer (SBC)
  • Milk-V Meles, SBC
  • BeagleV-Ahead, SBC

According to the report, GhostWrite was discovered through differential fuzz testing of RISC-V CPUs by comparing the results of small programs on different processors.

Differential CPU fuzz test

The T-Head XuanTie C910 reacted differently from the other processors: instead of raising the expected exception, it simply executed the illegally encoded vector memory instruction.

The result is a direct write to physical memory that bypasses the virtual memory protection mechanisms entirely.
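The comparison step of differential CPU fuzzing described above, as an added illustration (not the researchers' RISCVuzz code): the same test programs are run on several CPUs, each CPU's architectural outcome is recorded, and any program on which one CPU disagrees with the majority is flagged. The CPU names and outcomes below are constructed sample data, not measurements from real hardware.

```python
"""Differential comparison of per-CPU fuzzing outcomes (constructed example)."""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Outcome:
    """Architectural result of one test program on one CPU.

    trap: name of the exception raised, or None if the program retired normally.
    regs/mem: registers and memory locations the program changed (name/addr, value).
    Frozen + tuples keep the object hashable so outcomes can be counted and compared."""
    trap: Optional[str]
    regs: Tuple[Tuple[str, int], ...] = ()
    mem: Tuple[Tuple[int, int], ...] = ()


def find_discrepancies(results: Dict[str, Dict[str, Outcome]]):
    """results maps program_id -> {cpu_name: Outcome}.

    Returns {program_id: (majority_outcome, {cpu: outcome})} for every program
    on which at least one CPU deviates from the behaviour most CPUs agree on."""
    findings = {}
    for prog, per_cpu in results.items():
        majority, _ = Counter(per_cpu.values()).most_common(1)[0]
        deviants = {cpu: o for cpu, o in per_cpu.items() if o != majority}
        if deviants:
            findings[prog] = (majority, deviants)
    return findings


def classify(majority: Outcome, deviant: Outcome) -> str:
    """Label the kind of disagreement so findings can be triaged."""
    if majority.trap and not deviant.trap:
        return "missing_trap"      # CPU executed what the others rejected
    if deviant.trap and not majority.trap:
        return "spurious_trap"
    return "state_mismatch"        # both retired/trapped alike, but state differs


TRAP = Outcome(trap="illegal_instruction")
ADD_OK = Outcome(trap=None, regs=(("x1", 3),))
# Constructed data: cpu_3 retires a malformed vector store and modifies memory
# while cpu_1 and cpu_2 raise an exception, as the article describes for the C910.
SAMPLE = {
    "add_x1_x2": {"cpu_1": ADD_OK, "cpu_2": ADD_OK, "cpu_3": ADD_OK},
    "vec_store_malformed": {"cpu_1": TRAP, "cpu_2": TRAP,
                            "cpu_3": Outcome(trap=None, mem=((0x8000_1000, 0x41),))},
}
```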

By Bronte
